Intrusion Detection

[Chimera]

I was just switching from The Pit to MPSIMS when the page stalled out and my AV detected an intrusion attempt from www.erpoi.org.in.

9:32pm Central, November 15, 2010.
Source address 194.8.250.113

[armedmonkey]

I just got something weird, too. It read:

Reported Attack Page!

This web page at checkwinonline.com has been reported as an attack page and has been blocked based on your security preferences.
Attack pages try to install programs that steal private information, use your computer to attack others, or damage your system.

Some attack pages intentionally distribute harmful software, but many are compromised without the knowledge or permission of their owners.

I wasn’t sure what that was so I didn’t click through. I have no idea what “checkwinonline.com” is (seems like it may be some “free virus scan” bullshit). Could these problems be related to the maintenance Ed did tonight?

[TubaDiva]

I’m not finding the first complaint listed anywhere.

“Checkwinonline.com” appears to be from Russia. It’s not on our pages.

http://www.adrolling.com/checkwinonline.com

[Canadjun]

TubaDiva:

I’m not finding the first complaint listed anywhere.

“Checkwinonline.com” appears to be from Russia. It’s not on our pages.

http://www.adrolling.com/checkwinonline.com

Here’s stuff on the first one, courtesy of Google

Google:

Safe Browsing
Diagnostic page for erpoi.org.in

What is the current listing status for erpoi.org.in?

Site is listed as suspicious - visiting this web site may harm your computer.

Part of this site was listed for suspicious activity 1 time(s) over the past 90 days.

What happened when Google visited this site?

Of the 7 pages we tested on the site over the past 90 days, 0 page(s) resulted in malicious software being downloaded and installed without user consent. The last time Google visited this site was on 2010-11-15, and the last time suspicious content was found on this site was on 2010-11-15.

This site was hosted on 1 network(s) including AS29557 (ASNOVIFORUM).

Has this site acted as an intermediary resulting in further distribution of malware?

Over the past 90 days, erpoi.org.in did not appear to function as an intermediary for the infection of any sites.

Has this site hosted malware?

Yes, this site has hosted malicious software over the past 90 days. It infected 7 domain(s), including flatplanet.tv/, familyguyhentai.net/, free-zoo-sex.net/.

How did this happen?

In some cases, third parties can add malicious code to legitimate sites, which would cause us to show the warning message.

Next steps:

* Return to the previous page.
* If you are the owner of this web site, you can request a review of your site using Google Webmaster Tools. More information about the review process is available in Google's Webmaster Help Center.

[joebuck20]

A Monkey With a Gun:

I just got something weird, too. It read:
I wasn’t sure what that was so I didn’t click through. I have no idea what “checkwinonline.com” is (seems like it may be some “free virus scan” bullshit). Could these problems be related to the maintenance Ed did tonight?

I just got the same thing too.

[ratmanizhere]

I was just hijacked on the “In My Honest Opinion” board by some virus scan BS site. Luckily my installed virus blocker stopped it before anything major happened!

[campp]

Same here, got some cootie somehow

[Ed_Zotti]

I’ve reported this to our contacts at Rubicon, our ad provider.

[armedmonkey]

So any news on this? I’m not complaining. The problem only happened once, and I was not able to replicate it. However, I am curious as to what caused it. I’m running Firefox with AdBlock. Again, it only happened the once, and no harm done on my end. I’m just curious.

[BigT]

I can give you the basic idea of how this happens: The ad provider is given an ad to what seems to be a legitimate site. But, either through hacking or, more likely, original design, the ad actually redirects to another page every so often, and that other page is the one that hosts the actual malware. If done well, it becomes really hard to know which ad was the problem.

I think the best ad providers actually reverse engineer the code of ads to make sure they don’t do this, or something. But smaller ones can’t afford to do this.

[Dan_Norder]

Slightly different but same situation so I am posting it here:

While trying to open a thread in Cafe Society the tab got redirected to [link removed] one of those fake “OMG, you’ve got major viruses so your copy of Windows will not work!!!`!!one!” sites with a fake Windows virus alert screen (on my Mac) that continuously tries to force download a setup.exe application which is clearly malware.

Closing the window and reopening the same thread didn’t bring it up, which means it’s most assuredly a rogue ad doing it that didn’t happen to be loaded that time.